This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] Limit IPs on DomU

To: Sebastian Igerl <sig@xxxxxxxxx>
Subject: Re: [Xen-users] Limit IPs on DomU
From: John Haxby <john.haxby@xxxxxxxxxx>
Date: Fri, 19 Sep 2008 11:18:18 +0100
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Fri, 19 Sep 2008 03:19:08 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <1221809554.6308.10.camel@sigerl-desktop>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <435869253@xxxxxx> <1221809554.6308.10.camel@sigerl-desktop>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird (X11/20080723)
Sebastian Igerl wrote:
I want to limit the IPs/MAC a DomU can have. If a DomU uses an IP address other than the one I intended, or changes its
MAC address, all packets should be dropped.
ebtables (http://ebtables.sourceforge.net/) is good for this, but it is possible to use iptables under some conditions: http://ebtables.sourceforge.net/examples.html#ex_anti-spoof

You can extend the ebtables example to include a "--in-interface" match to pin the MAC/IP address pair to a specific device, but, of course, you'd have to do this at the time the domain is created.

I can't remember the circumstances under which iptables filtering will work, but I know it often doesn't because iptables doesn't see bridge traffic. There's lots more about this in the ebtables documentation.
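
The MAC/IP/vif pinning the reply describes, as an added example (not from the original post or from the ebtables project): a POSIX sh script that emits the ebtables rules for one DomU, using the `--in-interface` match to tie the pair to its vif. The vif name, MAC and address are constructed placeholders, and the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Emit ebtables rules that pin one DomU vif to a single MAC/IP pair
# (added example; vif name, MAC and IP below are constructed placeholders).

# gen_pin_rules VIF MAC IP
#   Prints the commands to stdout; on dom0, pipe them into "sh" as root.
gen_pin_rules() {
    vif=$1; mac=$2; ip=$3
    # ebtables chain names: keep to [A-Za-z0-9_], so "vif1.0" -> "vif1_0"
    chain="PIN_$(printf '%s' "$vif" | tr -c 'A-Za-z0-9_' '_')"

    # One chain per vif, so a single domain's rules can be removed later
    printf 'ebtables -N %s\n' "$chain"
    # Frames entering the bridge from this vif are judged by that chain
    # (-i is the short form of --in-interface)
    printf 'ebtables -A FORWARD -i %s -j %s\n' "$vif" "$chain"
    # IPv4: only the pinned MAC may send, and only from the pinned address
    printf 'ebtables -A %s -s %s -p IPv4 --ip-src %s -j ACCEPT\n' \
        "$chain" "$mac" "$ip"
    # ARP: the sender hardware and protocol addresses must match too,
    # otherwise the guest could still poison neighbours' ARP caches
    printf 'ebtables -A %s -s %s -p ARP --arp-mac-src %s --arp-ip-src %s -j ACCEPT\n' \
        "$chain" "$mac" "$mac" "$ip"
    # Everything else from this vif (other MACs or IPs, IPv6, ...) is dropped.
    # A guest that uses DHCP would also need 0.0.0.0 allowed as --ip-src.
    printf 'ebtables -A %s -j DROP\n' "$chain"
}

# del_pin_rules VIF
#   Prints the teardown for a vif, for use when the domain is destroyed.
del_pin_rules() {
    vif=$1
    chain="PIN_$(printf '%s' "$vif" | tr -c 'A-Za-z0-9_' '_')"
    printf 'ebtables -D FORWARD -i %s -j %s\n' "$vif" "$chain"
    printf 'ebtables -F %s\n' "$chain"
    printf 'ebtables -X %s\n' "$chain"
}

# Constructed sample: domain on vif1.0 with a Xen-style MAC and a test-net IP
gen_pin_rules vif1.0 00:16:3e:00:00:01 192.0.2.10
```

Apply the output on dom0 when the domain is created and the del_pin_rules output when it is destroyed; because the rules sit in the ebtables FORWARD chain they see bridged frames whether or not iptables does.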


Xen-users mailing list